[Snort-sigs] Help identifying source of strange signature

Thomas M. Payerle payerle at ...445...
Sun Mar 17 11:58:02 EST 2002


My apologies in advance if this is not the right forum for this question.
Any assistance or direction to a more appropriate forum would be appreciated.

I have heard of snort for some time, but only recently began running it
because I really don't have a good place to put the monitoring station
(I have responsibility for a single department on campus, with most networking
issues handled at a more central location and me being just a departmental liaison.
Our building network is highly switched, and I have no real access to the
switches, so I really can only snort the handful of segments I really control,
and not those of the segments I do not directly control but have some
responsibility for).

Recently, about a month ago and again a few days ago, there was what I believe was
an attempt at a network DOS against us.  Not very successful (the background
broadcast rate jumped up by a factor of 30-40), but the wired network was only barely
noticeably sluggish from it.  Some wireless hubs became unusable, and that was the
extent of the damage.  But the attack, which stopped on its own after a few hours,
appeared to come from about 6 machines inside the building, presumably ones that
had been compromised and had some sleeper program like that used for DDOS installed.

The sleeper program attacks by making up source and destination IP addresses
within the building (actual IP addresses in use, and all agree on them, but
not the addresses of the compromised machines), a forged source MAC address (which
appears unique for each compromised machine, but does not correspond to any real
MAC address in the building), and a forged destination MAC address (which does not
exist in the building, hence causing the packet to propagate throughout all LAN
segments).  In the heat of the attack, packets were coming out every msec or so.

Before and after the attack, however, there is still some odd traffic coming
with those forged MAC addresses, namely UDP traffic from port 800 (a forged MAC
address corresponding to one used in the attack) to port 800 (broadcast MAC
address).

I was hoping to use the above information to try to figure out what is lurking
on the compromised machines, and realized that this is the sort of thing IDS
systems like snort do, so I tried installing snort (as the traffic is broadcast, it didn't
matter that it is only viewing a single segment).  Unfortunately, the above
traffic did not raise any alarms in a "default" snort system.

Does anyone recognize the above attack signature, or know of any other
repositories of IDS signatures anywhere?  Or was my subnet honored with the
privilege of being someone's testbed to develop something new?

Any assistance will be appreciated, and if/when I figure out what it is I will
try to write a snort signature for it.  My apologies again if this is not the
appropriate venue for this request.

Tom Payerle
Dept of Physics                 payerle at ...445...
University of Maryland          (301) 405-6973
College Park, MD 20742-4111     Fax: (301) 314-9525
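The traffic pattern described in the post (UDP port 800 to port 800, sent to the broadcast MAC from a source MAC that does not belong to any real machine in the building) can be checked frame by frame. The following is an added illustration, not code from Tom's message: a small Python classifier that decodes Ethernet/IPv4/UDP headers and reports which of those two conditions a frame matches. The MAC inventory and the sample frame are constructed for the example.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Hypothetical inventory of MAC addresses really in use on the segment (constructed).
KNOWN_MACS = {"00:10:4b:aa:bb:01", "00:10:4b:aa:bb:02"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / UDP headers; return None for anything else."""
    if len(frame) < 14 + 20 + 8:                         # too short for eth+ip+udp
        return None
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:                 # not UDP, or truncated
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"dst_mac": dst, "src_mac": src,
            "src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport}

def classify(frame, known_macs=KNOWN_MACS):
    """Return the reasons a frame matches the described traffic ([] if none)."""
    p = parse_frame(frame)
    if p is None:
        return []
    reasons = []
    if p["sport"] == 800 and p["dport"] == 800 and p["dst_mac"] == BROADCAST_MAC:
        reasons.append("udp 800->800 to broadcast MAC")
    if p["src_mac"] not in known_macs:
        reasons.append("source MAC %s not in building inventory" % p["src_mac"])
    return reasons

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal test frame (checksums left zero; offline testing only)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

if __name__ == "__main__":
    # Constructed sample: forged source MAC, broadcast destination, UDP 800 -> 800.
    print(classify(build_frame(BROADCAST_MAC, "00:de:ad:be:ef:01", "10.1.2.3", "10.1.2.4", 800, 800)))
```

Fed with frames from a capture on any one segment, the same two checks are what a local rule for this traffic would need to express; the MAC inventory is the part that has to come from the site.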
